JP2009139990A - Technology for preventing unauthorized access to information - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To prevent information of an information processing apparatus, from being accessed in an unauthorized manner by loss or theft. <P>SOLUTION: The information processor is provided with a storage device; a division part dividing data stored in the storage device into a predetermined first number of pieces of partial data of a reference number or more than this by a secret dispersion method, requiring the predetermined reference number of pieces of the partial data in the restoration of the data; a transmission part for transmitting at least one piece of the partial data among the first number of pieces of the divided partial data, to at least another information processor, and deleting them from the storage device; an accessing part for accessing at least one piece of the partial data from at least another information processor and storing them in the storage device, when the data are restored to the storage device; and a restoration part for restoring the data to the storage device, based on the reference number of pieces of the partial data, on the condition that the reference number of pieces of the partial data be stored in the storage device by the acquisition of the partial data. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a technique for preventing unauthorized acquisition of information. In particular, the present invention relates to a technique for preventing unauthorized acquisition of information stored in a storage device of an information processing apparatus.

  In recent years, thin clients have been used in information systems used by companies and the like in order to prevent inadvertent leakage of information. The thin client does not include a nonvolatile storage device such as a hard disk drive. Therefore, various data used for business is stored not in the thin client but in the server device. For this reason, information is not leaked due to theft of the thin client, and safety is high.

Thin client implementation methods are classified into image transmission methods and screen transmission methods. The image transmission method is a method in which the operating system and other data are transmitted from the server device to each thin client when the thin client is activated. These data are deleted when the thin client is powered off. The screen transmission method is a method in which an output of a program executed on the server device, for example, a screen image is transmitted to the thin client, and a user input to the thin client is transmitted from the thin client to the server device.
JP 2003-132229 A JP 2007-122446 A

  Adopting an image transmission scheme can result in very large network traffic due to the operating system and other data. For example, assuming a corporate information system, the network load is concentrated on the start time, and a long waiting time may occur in starting each thin client.

  On the other hand, a countermeasure may be considered in which only the basic part of the operating system is stored in a nonvolatile storage device in the thin client, and only the update difference and user data are transmitted from the server device to the thin client. As an example, a method of setting the C drive of the personal computer to be non-volatile and the D drive to be volatile corresponds to this. However, with this measure, user data can be stored in a storage device (for example, C drive) in the thin client, which may reduce safety.

  In the screen transmission method, since the server device individually executes programs for a large number of thin clients, the load on the server device may be very high. For example, assuming a corporate information system, the processing load of application programs that have conventionally been run on each personal computer is concentrated on a single or a small number of server devices. May be required. In addition, the operations that can be performed by such a server device are limited to programs corresponding to multi-users, and the degree of freedom is felt low for users accustomed to using ordinary personal computers. .

  As described above, in an information system using a thin client, there is often a trade-off between safety and reduction of communication / processing load. Accordingly, an object of the present invention is to provide an information processing apparatus, method, and program that can solve the above-described problems. This object is achieved by a combination of features described in the independent claims. The dependent claims define further advantageous specific examples of the present invention.

In order to solve the above-described problem, in the first embodiment of the present invention, an information processing apparatus capable of communicating with at least one other information processing apparatus, the storage device and data stored in the storage device are stored. The data is restored by a secret sharing method that requires a predetermined reference number of partial data, and a dividing unit that divides the data into a predetermined first number of partial data equal to or more than the reference number, When transmitting at least one partial data of the first number of partial data to at least one other information processing device and deleting it from the storage device, and when restoring the data to the storage device, the other An acquisition unit that acquires at least one partial data from at least one information processing device and stores the partial data in the storage device; and On condition that partial data of the serial reference number is stored, based on the partial data of the reference number, to provide an information processing apparatus and a restorer for restoring the data to the storage device. A method and program for processing data by the information processing apparatus are also provided.
The above summary of the invention does not enumerate all the necessary features of the present invention, and sub-combinations of these feature groups can also be the invention.

  Hereinafter, the present invention will be described through embodiments of the invention. However, the following embodiments do not limit the invention according to the scope of claims, and all combinations of features described in the embodiments are included. It is not necessarily essential for the solution of the invention.

  FIG. 1 shows an example of the overall configuration of an information system 10 according to the present embodiment. The information system 10 includes a server device 100 and a plurality of client devices (for example, client devices 110A-D) that are communicably connected to each other via a communication network. The server apparatus 100 is an example of an information processing apparatus, and may be a stationary computer called a host computer, for example. The server device 100 often stores important data such as confidential business information. Therefore, the server apparatus 100 is provided in a highly secure dedicated room that is provided separately from the normal office room.

  The client apparatus 110A is an example of an information processing apparatus, and may be a portable computer such as a notebook type or a laptop type. Alternatively, the client device 110A may be a PDA (Personal Digital Assistant) or a mobile phone. Each of the client devices 110B-D is substantially the same as the client device 110A except that it is managed by a user different from the client device 110A.

  The client device 110A is provided in an office room where a general employee enters and exits, or in an employee's home working at home. Therefore, it is desirable not to store important data such as confidential business information in the client device 110A. The information system 10 according to the present embodiment aims to prevent leakage of confidential information even when the client device 110A having relatively low security is stolen or lost. Furthermore, according to the present embodiment, the necessary bandwidth of the communication network and the processing capability required for the server device 100 can be reduced compared to the case where all confidential information is stored in the server device 100. A specific description will be given below.

  FIG. 2 shows an example of a functional configuration of the client apparatus 110A according to the present embodiment. The client device 110A has a hardware configuration substantially the same as a personal computer called a so-called PC. Specifically, the client device 110A includes a CPU 1000, a ROM 1010, and a storage device 104 as main hardware. The ROM 1010 is a read-only nonvolatile storage device, and stores a program that operates independently of an operating system (hereinafter referred to as an OS), such as a BIOS program.

  The storage device 104 is a storage device capable of writing as well as reading, such as a hard disk drive. The storage device 104 stores various data used by the user for business, such as an OS program and user data. Specifically, the storage device 104 stores a business OS program 20 and user data 22 used for business by the user, and a personal OS program 24 and user data 26 used by the user for personal use. ing. Each of the business OS program 20 and the personal OS program 24 includes not only a basic part of an operating system called a so-called kernel but also various application programs associated therewith.

  As an example, when a Windows (registered trademark) operating system is employed as the OS, the storage device 104 stores the business OS program 20 in the “C: \ Windows” folder and the user data 22 as “C”. : \ MyDocuments "folder. On the other hand, the storage device 104 may store the personal OS program 24 in the “D: ¥ Windows” folder and store the user data 26 in the “D: ¥ MyDocuments” folder.

  The CPU 1000 functions as various systems by executing programs stored in the ROM 1010 and / or the storage device 104. Specifically, the CPU 1000 functions as the BIOS 200 by reading and executing a BIOS program from the ROM 1010, for example, when the client apparatus 110A is activated. With the function of the personal OS 220, the CPU 1000 reads the business OS program 20 from the storage device 104 and executes it. As a result, the CPU 1000 functions as the business OS 210.

  A user performs various tasks by using an application program operating on the business OS 210 or the business OS 210 itself. As a result, the storage device 104 stores user data 22 including business secrets, for example. Further, the CPU 1000 may read and execute the personal OS program 24 from the storage device 104 by a so-called multi-boot function provided in the BIOS 200. As a result, the server device 100 functions as the personal OS 220. The user works using an application program or the like that runs on the personal OS 220. As a result, the user data 26 is stored in the storage device 104.

  When the user ends the business, the user often ends the operation of the client device 110A. The case where the operation is terminated is, for example, a case where the power of the client device 110A is shut off or the client device 110A is shifted to a standby state or a hibernation state. In such a case, if the confidential information is stored in the storage device 104, the confidential information may leak due to theft or loss of the client device 110A. In order to prevent this, the CPU 1000 functions as a data management system 230 that manages data in the storage device 104. For example, the data management system 230 may be realized by a program stored in the ROM 1010 or the like.

  Specifically, first, when receiving an instruction to end the operation of the client apparatus 110 </ b> A, the data management system 230 reads the business OS program 20 and the user data 22 from the storage device 104. Then, the data management system 230 archives the business OS program 20 and the user data 22 to generate archive data. Then, the data management system 230 uses the secret sharing method that requires a predetermined reference number of partial data to restore the generated archive data to a predetermined first number that is equal to or greater than the reference number. Divide into partial data pieces. Here, the reference number is three and the first number is four. The partial data generated in this way is referred to as partial data 28-1 to 28-4.

  Then, the data management system 230 selects at least a part of the partial data 28-1 to 4-4, here the partial data 28-1 to 3-3, and transmits the selected data to at least one other information processing apparatus. Delete from the storage device 104. As a result, for example, the partial data 28-1 is transmitted to the server device 100 and stored in the storage device in the server device 100, and the partial data 28-2 is transmitted to the client device 110B and stored in the storage device in the client device 110B. The stored partial data 28-3 is transmitted to the client device 110C and stored in the storage device in the client device 110C. The partial data 28-4 is still stored in the storage device 104. Then, the data management system 230 continues the termination process according to the instruction, thereby shutting off the power supply of the client device 110A or shifting the client device 110A to the standby mode or the like.

  Here, at least three pieces of partial data are required to restore the original archive data. On the other hand, the storage device 104 stores only one partial data. For this reason, even if the client device 110A is stolen and the data in the storage device 104 is analyzed by a malicious user, data including business secrets cannot be restored. Also, due to the characteristics of the secret sharing method, it is not possible to restore even part of the original archive data with only less than three partial data, and it should be used as a clue to the analysis work for restoration. I can't even do it.

  When the data management system 230 receives an instruction to resume the operation of the client apparatus 110A (for example, an activation instruction or an instruction to cancel the standby mode), the data management system 230 is another information processing apparatus, in this case, the server apparatus 100, the client apparatus 110B, and the client apparatus. Request a partial data return to 110C. The data management system 230 restores the business OS program 20 and the user data 22 to the storage device 104 based on the returned partial data 28-1 to 28-3 and the already stored partial data 28-4. To do. Then, the data management system 230 resumes the operation of the business OS 210 by continuing the process of resuming the operation of the client device 110A.

  FIG. 3 shows the state of the information system 10 after transmitting each partial data. As a result of the transmission of the partial data 28-1 to 28-3 from the client device 110A, the partial data 28-1 is stored in the server device 100, and the partial data 28-2 is stored in the client device 110B. The client device 110C stores partial data 28-3, and the client device 110A stores partial data 28-4.

  In this state, the client OS 110A cannot operate the business OS 210. On the other hand, the personal OS 220 can be operated in the client device 110A. In other words, a legitimate user can take the client device 110A out of the office and use it for other purposes, and even if it is used in such a way, business secrets are not leaked.

  FIG. 4 is a conceptual diagram of a process for dividing archive data and generating each partial data. In the threshold secret sharing method, the first number, which is the number of partial data generated by division, and the reference number, which is the number of partial data necessary for restoration, can be set as parameters. FIG. 4 shows an example of the threshold secret sharing method when four are set as the first number and three are set as the reference number.

  Such a threshold secret sharing method is expressed as SSS (4, 3) using an acronym of Secret Sharing Scheme, which is an English notation of the threshold secret sharing method. The four partial data generated by this method are referred to as partial data 28-1 to 28-4. If at least any three of these partial data are not prepared, the original data cannot be restored.

  Then, according to the threshold secret sharing method, as long as the partial data exceeding the reference number is not prepared, even if it is analyzed in an infinite calculation time by a high-performance computer, one bit of the original data cannot be restored. Is mathematically proven. In this respect, it is possible to keep the secret extremely safely as compared with an encryption method that may be decrypted by the appearance of a future high-performance computer or the discovery of a decryption algorithm.

  Therefore, the data management system 230 has a number (for example, 3) exceeding the number obtained by subtracting the reference number from the first number (1 in this example) so that the original data cannot be restored by the client device 110A alone. Pieces of partial data may be transmitted to another information processing apparatus. Further, in order to make it difficult to restore the original data as much as possible, the data management system 230 desirably transmits a plurality of partial data to different information processing apparatuses. As described above, the use of the secret sharing method can make it extremely difficult for a malicious user to restore archived data. An example is shown in FIG.

  FIG. 5 shows the state of the information system 10 when the client device 110A is stolen or lost. If the client device 110A is stolen or lost, the partial data 28-4 stored in the client device 110A may be illegally acquired. However, as already described, the original data cannot be restored based only on the partial data 28-4.

  Accordingly, if the partial data 28-1 to 28-3 are also obtained illegally, it is necessary to steal the server device 100 and the client devices 110B-C together. As described above, since the server device 100 is specially managed, it is very difficult to steal the server device 100. Also, the client devices 110B-C may be geographically separated from the client device 110A depending on the configuration of the communication network, so it is quite difficult to steal the client devices 110A-C together. There are many cases.

  Furthermore, compared to the anti-theft measures for the client device 110A alone, there are many cases where sufficient countermeasures are taken against unauthorized intrusion into the communication network at present. It is also quite difficult to acquire the partial data 28-2 and the like from the client device 110B-C and the like. Furthermore, this unauthorized acquisition is considered to be extremely difficult because it is limited to the time zone in which the server device 100 and the client device 110B-C are operating, for example, business hours.

  As described above, according to the information system 10 according to the present embodiment, unauthorized acquisition of information by stealing the client device 110A can be made extremely difficult. Also, as shown in FIG. 6 below, according to the information system 10 according to the present embodiment, the convenience for the user is hardly reduced.

  FIG. 6 shows a state of the information system 10 when the client device 110C is in a dormant state. When the user starts the client device 110A and starts a job, at least three pieces of partial data are necessary. Therefore, the client device 110A requests the server device 100 and the client devices 110B-D to return partial data. Assuming that the client apparatus 110A is activated at the start time in a company or the like, it is expected that most of the server apparatus 100 and the client apparatuses 110B-D are already operating or will be activated soon.

  In the example of FIG. 6, since the server device 100, the client device 110B, and the client device 110D are in operation and the client device 110C is inactive, the client device 110A receives a partial data reply from the server device 100 and the client device 110B. As a result, since the client device 110A can acquire three pieces of partial data, it is possible to restore the user data 22 to the storage device 104 and start work. As described above, since the activation can be performed even when a part of the transmitted partial data is insufficient, in an environment where business is performed in the same time zone such as an organization such as a company, it is hardly expected that the activation fails. Moreover, since the parameter of the secret sharing method can be set arbitrarily, it is possible to make it difficult to cause a start failure by adjusting the parameter according to the use environment.

Further, each of the client devices 110B-D may have the same function as the client device 110A, and each of the client devices 110A-D may transmit partial data to each other. An example is shown in FIG.
FIG. 7 shows the state of the information system 10 when the client apparatus 110D divides the OS program 70 and transmits it to another computer in this embodiment. The client device 110D stores an OS program 70 for use in the work of the user of the client device 110D.

  Then, the client device 110D divides the archive data of the OS program 70 into a plurality of partial data by the secret sharing method. The partial data generated as a result is referred to as partial data 72-1 to 72-3. Then, the client apparatus 110D transmits each of the generated partial data 72-1 to 72-1 to other information processing apparatuses that can communicate via the communication network, for example, the server apparatus 100, the client apparatus 110A, and the client apparatus 110C. To do. Thereby, even if the client device 110D is stolen, leakage of information included in the OS program 70 or the like can be prevented.

Next, the archive data division and restoration processing function by the secret sharing method will be described in detail.
FIG. 8 shows an example of a functional configuration of the data management system 230 according to the present embodiment. The data management system 230 includes a dividing unit 700, a transmitting unit 710, an acquiring unit 720, a restoring unit 730, a receiving unit 740, a providing unit 750, and an encryption unit 760. At the end of the operation of the client device 110A, the dividing unit 700 reads the business OS program 20 and the user data 22 from the storage device 104, and generates archive data of the business OS program 20 and the user data 22.

  The dividing unit 700 converts the generated archive data into a predetermined first number greater than the reference number by a secret sharing method that requires a predetermined reference number of partial data to restore the data. Divide into partial data. These generated partial data are referred to as partial data 28-1 to 28-4.

  The dividing unit 700 is not limited to the archive data as long as the data is stored in the storage device 104 as a target of division. For example, the dividing unit 700 may divide data that is not archived data from the storage device 104 as long as the data is used when the client device 110 is activated next time. An example of such data is an encryption key described later, for example. Details will be described later.

  Further, the first number and the reference number may be arbitrarily set according to the user's environment as long as the condition that the first number is equal to or more than the reference number is satisfied. Further, the difference between the first number and the reference number, or the ratio of the reference number to the first number can be arbitrarily set, and the first number and the reference number itself may be automatically determined.

  For example, the dividing unit 700 determines the number of other information processing apparatuses that can receive the partial data by transmitting a request for inquiring whether the partial data can be received to each of the other information processing apparatuses. The first number and the reference number may be set based on the number. As an example, if the number of receivable information processing devices is 10, the first number is set to 10 and the reference number is set to 7 by subtracting a predetermined number 3 from the first number. May be set.

  The transmission unit 710 transmits at least one partial data among the divided first pieces of partial data to at least one other information processing apparatus and deletes it from the storage device 104. In order to prevent the archive data from being restored by the client apparatus 110A alone, it is desirable that the number of partial data to be transmitted / deleted exceeds the number obtained by subtracting the reference number from the first number.

  As an example, the transmission unit 710 transmits the partial data 28-1 to the server device 100, the partial data 28-2 to the client device 110B, and the partial data 28-3 to the client device 110C. delete. On the other hand, the dividing unit 700 may store the remaining partial data 28-4 among the generated partial data in the storage device 104.

  On the other hand, the acquisition unit 720 restores data to the storage device 104 when the client device 110A is activated next time. When restoring data, the acquisition unit 720 acquires at least one partial data 28 from at least one other information processing apparatus and stores it in the storage device 104. The acquisition unit 720 may acquire at least the partial data 28 corresponding to the difference between the number of partial data 28 already stored in the storage device 104 and the reference number. For example, when one partial data 28 is already stored in the storage device 104 and the reference number is 3, the acquisition unit 720 acquires at least two partial data 28 from another information processing device. .

  Then, the restoration unit 730 transfers the data to the storage device 104 based on the reference number of partial data on the condition that the reference number of partial data is stored in the storage device 104 when the partial data 28 is acquired. Restore. Specifically, the restoration unit 730 restores the business OS program 20 and the user data 22 to the storage device 104. As a result, the operation of the business OS 210 based on the business OS program 20 starts.

With the above processing functions, confidential information is divided into a plurality of partial data by the secret sharing method and distributed and stored in a plurality of information processing devices. Therefore, even if the information processing device is stolen alone, the confidential information Leakage can be prevented. Further, since it is not necessary to store all the confidential information in the server apparatus 100, it is possible to prevent concentration of processing load and network load of the server apparatus 100.
In order to reduce the load on the network more than the above processing, instead of the archive data, an encryption key obtained by encrypting the archive data may be stored in a distributed manner. An example is shown below.

  The dividing unit 700 generates an encryption key for encrypting the archive data of the business OS program 20 and the user data 22 stored in the storage device 104 during the operation of the client device 110A, not at the end of the operation. And stored in the storage device 104. Preferably, the dividing unit 700 may periodically update the generated encryption key. This regular update can reduce the risk that the encryption key is obtained illegally. This encryption key is not limited to one based on a specific type of encryption method. As an example, the encryption key may be a sufficiently long secure key such as 1024 bits.

  The dividing unit 700 divides the encryption key into the first number of partial data every time the encryption key is generated or updated. The transmitting unit 710 transmits each of the divided partial data pieces to each of at least one other information processing apparatus, for example, the server apparatus 100 and the client apparatuses 110B-C. Since the data size of the encryption key transmitted by such processing is sufficiently smaller than the archive data itself, the load on the network and other information processing apparatuses can be reduced.

  In this case, at the end of the operation of the client apparatus 110A, the encryption unit 760 archives the business OS program 20 and user data 22 to generate archive data, and encrypts the generated archive data with the encryption key. And stored in the storage device 104. Also, the encryption unit 760 deletes the encryption key used for encryption from the storage device 104. As a result, the business OS program 20 cannot be restarted unless the encryption key is acquired, so that leakage of information due to theft of the client device 110A itself can be prevented.

  The partial data of the encryption key used for encryption has already been transmitted to another information processing apparatus by the transmission unit 710 when the encryption key is generated or updated. Therefore, the encryption unit 760 does not assume the presence of another information processing apparatus when the operation ends. For this reason, even when the transmission destination of partial data is insufficient, such as when working in an organization such as a company until only one person is late, the confidential information in the client device 110A is encrypted to make the client device 110A appropriate. Can be terminated.

  In this processing example, the operation of the acquisition unit 720 is the same as the operation of the acquisition unit 720 described above, except that the partial data is not for the archive data itself but for the encryption key. However, the restoration unit 730 performs processing corresponding to encryption. Specifically, the restoration unit 730 restores the encryption key to the storage device 104 based on the reference number of partial data stored in the storage device 104. Then, the restoration unit 730 decrypts the archive data (encrypted at the end of the operation) stored in the storage device 104 with the encryption key, thereby operating the business OS 210 based on the business OS program 20. Let it begin.

  FIG. 9 shows a first example of a processing flow of the information system 10 according to the present embodiment. When the client apparatus 110A receives an instruction to end the operation of the client apparatus 110A, such as an instruction to shut off the power supply (S900), the operation of the drawing starts. First, the dividing unit 700 converts the data stored in the storage device 104 into a predetermined number greater than or equal to the reference number by a secret sharing method that requires a predetermined reference number of partial data to restore the data. The data is divided into one piece of partial data (S910).

  In the example of FIG. 9, specifically, the data to be divided is archive data of the business OS program 20 and user data 22. More specifically, as described above, the dividing unit 700 may generate and divide archive data of files in the Windows folder and the Document folder of the C drive. Alternatively, when the types of operating systems are different, the dividing unit 700 may generate archive data of another specific folder or file instead. Alternatively, the dividing unit 700 may generate archive data of the entire file system in the dividing unit 700.

  The secret sharing method used for the division is, for example, a threshold secret sharing method. As described above, according to the threshold secret sharing method, even if partial data less than the reference number is acquired, even one bit of the original data cannot be restored, and it cannot be used as a key for restoration. Thereby, the original data can be safely stored. Alternatively, the secret sharing method used for the division may be a ramp type secret sharing method. According to the ramp-type secret sharing method, the size of each partial data can be reduced without substantially reducing the security.

  Further, ALL or Notifying Transform (AONT) may be used as a secret sharing method. For details, refer to the website (http://trusted-solutions.jp/core/aont.html). When certain data is converted by ALL or Notifying Transform (AONT), even if part of the converted data is lost, the data before conversion cannot be restored at all. Using this property, the dividing unit 700 converts data (for example, archive data) stored in the storage device 104 by AONT, and converts the converted data into a first number of parts, for example, for each predetermined byte size. Divide into data. In this case, the first number and the reference number are equal. As a result, as long as all the first number of partial data are not acquired, the original data can be kept secret at all.

  Next, the transmission unit 710 selects an information processing apparatus as a transmission destination of the partial data in order to transmit the divided first number of partial data (S920). For example, the transmission unit 710 may randomly select a plurality of information processing devices from other information processing devices that can communicate with the client device 110A. It is desirable that the information processing apparatus to be selected is different each time. Further, it is desirable that the number of information processing apparatuses to be selected is larger than the number obtained by subtracting the reference number from the first number. For example, assuming the conversion by SSS (4, 3), the transmission unit 710 selects a larger number of information processing apparatuses than 4 obtained by subtracting 3 from 4.

  Moreover, it is desirable that the information processing apparatuses to be selected are installed geographically apart. In order to realize this, for example, the storage device 104 stores in advance instruction information indicating the range of the position where the information processing device is installed in association with each of the plurality of information processing devices connected to the communication network. Yes. An example of the instruction information is an IP address, for example.

  According to the configuration of the communication network, the numerical value of a predetermined digit on the upper side of the IP address is displayed in the range of the position where the information processing apparatus is installed, for example, a country, a state, a prefecture, a city, a building, or a department. It may be associated. In this case, the transmission unit 710 can determine the range of the position where each information processing apparatus is installed based on the IP address. Alternatively, the instruction information may be a character, a numerical value, a symbol, or a combination thereof that directly points to a range of positions such as a country, state, prefecture, city, building, or department.

  In this case, when there are a plurality of other information processing devices that can communicate with the client device 110A, the transmission unit 710 determines the position where each of the other information processing devices is installed as the instruction information. Judgment based on. Then, the transmission unit 710 selects a plurality of information processing devices with different positions from each other among the plurality of other information processing devices as the information processing device that is the destination of the partial data. In the example of FIG. 9, a total of three information processing apparatuses, the server apparatus 100 and the server apparatuses 100B-C, are selected.

  Then, the transmission unit 710 transmits a number of pieces of data, for example, three partial data larger than the number obtained by subtracting the reference number from the first number, to each of the server device 100 and the server devices 100B-C, and stores them. Delete from the device 104. The transmission unit 710 preferably transmits different partial data to a plurality of destination information processing apparatuses. In response, for example, the receiving unit 740 of the server device 100 receives the partial data 28-1 (S922), the receiving unit 740 of the client device 110B receives the partial data 28-2 (S924), and the client device 110C. The receiving unit 740 receives the partial data 28-3 (S926).

  Then, the client device 110A shuts off the power supply of the client device 110A (S930). As a result, even if the client device 110A is stolen in a state where the power is cut off, sufficient partial data for restoring the original data is not stored in the client device 110A, so that leakage of confidential information can be prevented. .

  Subsequently, the client device 110A starts an operation upon receiving an instruction to activate the client device 110A (S940). Specifically, the client apparatus 110 </ b> A may read the BIOS program and the data management system 230 program from the ROM 1010 and cause the CPU 1000 to execute them. First, the acquisition unit 720 of the data management system 230 transmits a request for returning partial data to at least one other information processing apparatus in order to acquire partial data (S950).

  Specifically, the acquisition unit 720 may broadcast a request for returning partial data to each of at least one other information processing apparatus. A specific example for realizing this is as follows. First, in order to be able to appropriately reply to a reply request, in S920, the transmission unit 710 transmits information identifying the client apparatus 110A that is a reply destination in association with the partial data, and the destination It is stored in the information processing apparatus.

  The acquisition unit 720 broadcasts the identification information of the client device 110A in association with the reply request. In the information processing apparatus that has received this request, the providing unit 750 may read and return partial data corresponding to the identification information received in association with this request from the storage device in the information processing apparatus (S952, S954). And S956). Specifically, the identification information may be a MAC (Media Access Controller) address of the client device 110A. However, the identification information is not limited to this MAC address.

  Instead, the acquisition unit 720 may transmit a request to return partial data only to an information processing apparatus that is a partial data transmission destination among at least one other information processing apparatus. A specific example for realizing this is as follows. First, in order to be able to appropriately recognize the information processing apparatus that is the transmission destination, in S920, the transmission unit 710 transmits each of the plurality of partial data to each of the other information processing apparatuses, and also each of the transmission destinations. The identification information of the information processing apparatus is stored in the storage device 104. These pieces of identification information may be stored in a removable medium such as a USB memory instead of the storage device 104.

  Then, the acquisition unit 720 reads the identification information from the storage device 104 and transmits the reply request to the information processing apparatus identified by the read identification information. (Alternatively, the computer loaded with the removable medium reads the identification information from the removable medium and transmits the reply request to the information processing apparatus identified by the read identification information.)

  Thereby, since the request is transmitted only to the information processing apparatus of the transmission destination, the network traffic can be reduced compared with the broadcast. Further, if the providing unit 750 of the information processing apparatus that has received the request simply returns the partial data, the data can be appropriately restored in the client apparatus 110A.

As yet another example, a server device such as the server device 100 may centrally manage which device has transmitted the partial data to which device. An example of the realization method will be described with reference to FIG.
FIG. 10 shows an example of various information recorded in the server device 100 according to the present embodiment. When transmitting the partial data in S920, the transmission unit 710 identifies the identification information (for example, login ID) of the user who has logged into the client apparatus 110A, the server apparatus 100 that is the transmission destination of the partial data, the client apparatus 110B, and The identification information of the user who has logged into the client device 110C is associated with the server device 100 and registered in the server device 100. The registered information is called transmission destination management information. An example is shown in the upper side of FIG.

  Server apparatus 100 stores user AAA in association with user CCC, user BBB, and user ADMIN in the destination management information. This transmission destination management information is transmitted from the information processing apparatus in which AAA is logged in to the information processing apparatus in which CCC is logged in, the information processing apparatus in which BBB is logged in, and the information processing apparatus in which ADMIN is logged in. , Indicating that partial data has been transmitted.

  On the other hand, as shown in the lower part of FIG. 10, the server apparatus 100 stores login management information. In the login management information, identification information (machine identification information, for example, an IP address) of each information processing apparatus is recorded in association with identification information of a user who has logged in to the information processing apparatus. This login management information is generated when each client device 110 registers the login name and the IP address of the client device 110 in association with each other when the user logs in.

  The acquisition unit 720 transmits a reply request based on these pieces of information. Specifically, first, the acquisition unit 720 specifies identification information of a user who has logged in to the client device 110A. Then, the acquisition unit 720 transmits the identification information to the server device 100. The server device 100 uses the received identification information as the user identification information of the transmission source, and searches the transmission destination management information for the user identification information of the transmission destination corresponding to the identification information. For example, if the user AAA is logged in to the client apparatus 110A, the users BBB, CCC, and ADMIN associated therewith are searched.

  Then, the server apparatus 100 searches the login management information for machine identification information corresponding to each searched user identification information. As a result, for example, three pieces of identification information “192.168.0.X”, “192.168.0.Y”, and “192.168.0.Z” are searched. The retrieved identification information is returned to the client device 110A. In response to this, the acquisition unit 720 transmits a request for returning partial data to the information processing apparatus identified by each identification information received.

  Returning to the description of FIG. Next, on the condition that the reference number of partial data is stored in the storage device 104 by acquiring the partial data 28, the restoration unit 730 transfers the data to the storage device 104 based on the reference number of the partial data. Is restored (S1180). Specifically, the restoration unit 730 restores the business OS program 20 and the user data 22 to the storage device 104. In this case, the acquisition unit 720 may inquire the server apparatus 100 whether the restored business OS program 20 is the latest version. When the business OS program 20 is not the latest version, the acquisition unit 720 acquires, from the server device 100, differential update data between the business OS program 20 and the latest version OS.

  Thus, the difference update data may indicate a difference in units of programs. Instead of this, the difference update data may indicate a difference in units of archive data, or may indicate a difference in units of file systems. Then, the acquisition unit 720 updates the business OS program 20 with the acquired difference update data. As described above, the management of the business OS program 20 may be a hybrid type of the method based on the secret sharing method and the method acquired from the server device 100.

  Then, the acquisition unit 720 starts the operation of the business OS 210 based on the business OS program 20 (S1190). When the client apparatus 110A ends the operation again, the client apparatus 110A returns to the process of S900 and repeats the process of FIG. Also, each of the client device 110B, the client device 110C, and the client device 110D operates substantially the same as the client device 110A, and thus the description thereof is omitted.

  FIG. 11 shows a second example of the processing flow of the information system 10 according to the present embodiment. In this second example, instead of the archive data itself, an encryption key for encrypting the archive data is divided and transmitted by the secret sharing method. Specifically, first, the dividing unit 700 of the client apparatus 110A generates an encryption key for encrypting archive data or updates an already generated encryption key (S1100).

  Next, the dividing unit 700 divides the generated or updated encryption key into the first number of partial data (S1110). Then, the transmission unit 710 transmits at least one partial data of the divided first pieces of partial data to at least one other information processing apparatus and deletes it from the storage device 104 (S1120). Here, for example, each of the three partial data is transmitted to each of the server device 100, the client device 110B, and the client device 110C.

In response to this, each of the receiving unit 740 of the server device 100, the receiving unit 740 of the client device 110B, and the receiving unit 740 of the client device 110C receives and stores the partial data (S1122, S1124, and S1126).
The client apparatus 110A repeats the above processing periodically, for example, until receiving a power-off instruction.

  When the client device 110A receives an operation end instruction, for example, a power-off instruction (S1130), the encryption unit 760 of the client device 110A stores the business OS program 20 and user data 22 stored in the storage device 104. Archive data is generated, and the archive data is encrypted with the latest (ie, most recently updated) encryption key (S1140). The encrypted archive data is stored in the storage device 104. When the encryption is completed, the client device 110A deletes the encryption key from the storage device 104 and shuts off the power (S1150).

  After that, when the client device 110A receives an instruction to start the client device 110A (S1160), the acquisition unit 720 of the client device 110A receives the partial data from each of the server device 100, the client device 110B, and the client device 110C. It is acquired and stored in the storage device 104 (S1170). That is, each of the server device 100, the client device 110B, and the client device 110C provides the partial data received in S1120 from the client device 110A in response to a request from the client device 110A (S1172, S1174, and S1176).

  Then, the restoration unit 730 transfers the data to the storage device 104 based on the reference number of partial data on the condition that the reference number of partial data is stored in the storage device 104 when the partial data 28 is acquired. Restoration is performed (S1180). Specifically, the restoration unit 730 restores the encryption key to the storage device 104. Then, the restoration unit 730 decrypts the archive data with the encryption key, decompresses the decrypted archive data, and restores the business OS program 20 and the user data 22. As a result, the operation of the business OS 210 based on the business OS program 20 starts (S1190).

  However, as described above, the restoration unit 730 may acquire an update difference of a program such as an OS from the server apparatus 100, update the program with the update difference, and then execute the program. As a result, data such as the OS before the update can be prevented from remaining in the client apparatus 110A, and the user of the client apparatus 110A can feel as if using an update difference type thin client. You can always use the latest OS.

  As described above, according to the second example described with reference to FIG. 11, not the archive data itself but the encryption key for encrypting it is transmitted, so that the load on the network can be further reduced. In addition, since the encryption key is periodically updated, the risk of the illegal decryption of the encryption can be reduced. Furthermore, since the encryption key can be transmitted periodically, for example, regardless of the power-off timing, even if a sufficiently large number of information processing devices are not operating at the time of power-off, the confidential data Can be protected properly.

  FIG. 12 shows an example of the hardware configuration of the client apparatus 110A according to the present embodiment. The client apparatus 110A includes a CPU peripheral unit including a CPU 1000, a RAM 1020, and a graphic controller 1075 connected to each other by a host controller 1082, a communication interface 1030, a hard disk drive 1040, and the like connected to the host controller 1082 by an input / output controller 1084. An input / output unit having a CD-ROM drive 1060 and a legacy input / output unit having a ROM 1010 connected to an input / output controller 1084, a flexible disk drive 1050, and an input / output chip 1070 are provided.

  The host controller 1082 connects the RAM 1020 to the CPU 1000 and the graphic controller 1075 that access the RAM 1020 at a high transfer rate. The CPU 1000 operates based on programs stored in the ROM 1010 and the RAM 1020, and controls each unit. The graphic controller 1075 acquires image data generated by the CPU 1000 or the like on a frame buffer provided in the RAM 1020 and displays it on the display device 1080. Alternatively, the graphic controller 1075 may include a frame buffer that stores image data generated by the CPU 1000 or the like.

  The input / output controller 1084 connects the host controller 1082 to the communication interface 1030, the hard disk drive 1040, and the CD-ROM drive 1060, which are relatively high-speed input / output devices. The communication interface 1030 communicates with an external device via a network. The hard disk drive 1040 is an example of the storage device 104, for example, and stores programs and data used by the client device 110A. The CD-ROM drive 1060 reads a program or data from the CD-ROM 1095 and provides it to the RAM 1020 or the hard disk drive 1040.

  The input / output controller 1084 is connected to the ROM 1010 and relatively low-speed input / output devices such as the flexible disk drive 1050 and the input / output chip 1070. The ROM 1010 stores a boot program executed by the CPU 1000 when the client device 110A is activated, a program depending on the hardware of the client device 110A, and the like. The flexible disk drive 1050 reads a program or data from the flexible disk 1090 and provides it to the RAM 1020 or the hard disk drive 1040 via the input / output chip 1070. The input / output chip 1070 connects various input / output devices via a flexible disk 1090 and, for example, a parallel port, a serial port, a keyboard port, a mouse port, and the like.

  The program provided to the client device 110A is stored in a recording medium such as the flexible disk 1090, the CD-ROM 1095, or an IC card and provided by the user. The program is read from the recording medium via the input / output chip 1070 and / or the input / output controller 1084, installed in the client apparatus 110A, and executed. The operation that the program causes the client device 110A to perform is the same as the operation in the client device 110A described with reference to FIGS.

  The program shown above may be stored in an external storage medium. As the storage medium, in addition to the flexible disk 1090 and the CD-ROM 1095, an optical recording medium such as a DVD or PD, a magneto-optical recording medium such as an MD, a tape medium, a semiconductor memory such as an IC card, or the like can be used. Further, a storage device such as a hard disk or RAM provided in a server system connected to a dedicated communication network or the Internet may be used as a recording medium, and the program may be provided to the client device 110A via the network.

  As described above, according to the embodiment described with reference to FIGS. 1 to 12, the data stored in the client device is distributed by the secret sharing method and stored in another device, so that the confidential information is stored in the client device itself. You can choose not to save. As a result, a normal client device such as a personal computer can be operated like a thin client without increasing the communication network and the server device.

  In fact, according to the verification by the inventors of the present application, even if the system according to the present embodiment is introduced without using a conventional communication network or server device as it is, it is sufficiently practical. It was confirmed. Specifically, if a conventional thin client using the image transmission method is introduced without increasing the conventional communication network or server device, it will take several tens of minutes to start one client device. In short, it is not practical. In addition, if a conventional thin client adopting a screen transmission method is introduced without increasing a conventional communication network or server device, it is impractical because severe frame dropping occurs on the screen display. On the other hand, in this embodiment, the activation of one client device is completed in a few minutes, and it has been confirmed that it is sufficiently practical.

  Therefore, from the viewpoint of a company manager or a system manager, security can be improved without enormous additional investment. For example, even in industries where security is important, such as banks, insurance and securities, a system in which a large number of client devices are operating, such as a call center, is used. Even in such a system, not only the client device is stolen but also the leakage of information from the discarded client device can be prevented in the case of replacement of the client device due to failure or aging of the client device.

  Further, from the viewpoint of the user of the client device, even if the system according to the present embodiment is introduced, the business can be continued without a sense of incongruity with almost the same feeling as a personal computer. For example, application program development sites need to use a regular personal computer to run an application program or development tool under development, while maintaining confidentiality such as the idea of the program or test being developed. There is a lot of information. Even in such a case, according to the system according to the present embodiment, an application program of a normal personal computer can be operated as it is while improving security.

  As mentioned above, although this invention was demonstrated using embodiment, the technical scope of this invention is not limited to the range as described in the said embodiment. It will be apparent to those skilled in the art that various modifications or improvements can be added to the above-described embodiment. It is apparent from the scope of the claims that the embodiments added with such changes or improvements can be included in the technical scope of the present invention.

FIG. 1 shows an example of the overall configuration of an information system 10 according to the present embodiment. FIG. 2 shows an example of a functional configuration of the client apparatus 110A according to the present embodiment. FIG. 3 shows the state of the information system 10 after transmitting each partial data. FIG. 4 is a conceptual diagram of a process for dividing archive data and generating each partial data. FIG. 5 shows the state of the information system 10 when the client device 110A is stolen or lost. FIG. 6 shows a state of the information system 10 when the client device 110C is in a dormant state. FIG. 7 shows a state of the information system 10 when the client apparatus 110D divides the OS program 70 and transmits it to another computer in this embodiment. FIG. 8 shows an example of a functional configuration of the data management system 230 according to the present embodiment. FIG. 9 shows a first example of a processing flow of the information system 10 according to the present embodiment. FIG. 10 shows an example of various information recorded in the server device 100 according to the present embodiment. FIG. 11 shows a second example of the processing flow of the information system 10 according to the present embodiment. FIG. 12 shows an example of the hardware configuration of the client apparatus 110A according to the present embodiment.

Explanation of symbols

10 information system 20 business OS program 22 user data 24 personal OS program 26 user data 28 partial data 70 OS program 72 partial data 100 server device 110 client device 104 storage device 200 BIOS
210 Business OS
220 Personal OS
230 Data Management System 700 Division Unit 710 Transmission Unit 720 Acquisition Unit 730 Restoration Unit 740 Reception Unit 750 Provision Unit 760 Encryption Unit 1000 CPU
1010 ROM

Claims (13)

An information processing apparatus capable of communicating with at least one other information processing apparatus,
A storage device;
The data stored in the storage device is converted into a predetermined first number of partial data equal to or greater than the reference number by a secret sharing method that requires a predetermined reference number of partial data to restore the data. A dividing unit to divide;
A transmitting unit that transmits at least one partial data of the divided first number of partial data to at least one other information processing apparatus and deletes the partial data from the storage device;
An acquisition unit that acquires at least one partial data from the at least one other information processing device and stores the data in the storage device when restoring data to the storage device;
A restoration unit that restores data to the storage device based on the partial data of the reference number on the condition that the reference number of partial data is stored in the storage device by obtaining the partial data; Information processing apparatus provided. The transmission unit transmits, to the at least one other information processing apparatus, partial data having a number exceeding the number obtained by subtracting the reference number from the first number among the first number of partial data divided. Delete from storage,
When the data is restored to the storage device, the acquisition unit obtains at least partial data of the number of differences between the number of partial data already stored in the storage device and the reference number as the at least one other data. Acquired from one information processing device and stored in the storage device,
The information processing apparatus according to claim 1. The dividing unit reads data used when the information processing device is activated next time during operation of the information processing device from the storage device and divides the data into the first number of partial data,
The acquisition unit acquires at least one partial data from the at least one other information processing device when the information processing device is activated next time,
The information processing apparatus according to claim 2. The division unit generates an archive data by archiving the operating system program and user data stored in the storage device at the end of the operation of the information processing apparatus, and the generated archive data is stored in the first number of archives. Divided into partial data,
The acquisition unit acquires at least one partial data from the at least one other information processing device when the information processing device is activated next time,
The restoration unit restores the operating system program and user data to the storage device based on the reference number of pieces of partial data stored in the storage device, so that the operating system program based on the operating system program is restored. To start the operation,
The information processing apparatus according to claim 2. The dividing unit generates an encryption key for encrypting the archive data of the operating system program and user data stored in the storage device, and divides the generated encryption key into the first number of partial data And
An encryption unit that archives an operating system program and user data to generate archive data when the operation of the information processing apparatus ends, and encrypts the generated archive data with the encryption key and stores it in the storage device In addition,
The acquisition unit acquires at least one partial data from the at least one other information processing device when the information processing device is activated next time,
The restoration unit restores the encryption key to the storage device based on the reference number of partial data stored in the storage device, and decrypts the archive data stored in the storage device with the encryption key To start the operation of the operating system based on the operating system program,
The information processing apparatus according to claim 2.   The information processing apparatus according to claim 2, wherein the acquisition unit acquires the partial data by broadcasting a request to return the partial data to each of the at least one other information processing apparatus. The transmitting unit transmits, to the at least one other information processing apparatus, the partial data whose number exceeds the number obtained by subtracting the reference number from the first number among the divided first number of partial data. Storing identification information of each information processing apparatus that is a destination in the storage device;
The acquisition unit reads the identification information from the storage device, and transmits a request to return the stored partial data to the information processing device identified by the read identification information. The information processing apparatus according to claim 2, wherein From the other information processing apparatus, the partial data transmitted by the transmission unit included in the other information processing apparatus among the first number of partial data divided by the division unit included in the other information processing apparatus is received. Receiving unit for storing in the storage device;
A provision unit that reads out the partial data received from the other information processing apparatus from the storage device in response to a request from the acquisition unit of the other information processing apparatus and provides the partial data to the other information processing apparatus; The information processing apparatus according to claim 2.   The transmitting unit randomly selects, from among the other information processing devices, partial data having a number exceeding the number obtained by subtracting the reference number from the first number among the first number of divided partial data. The information processing apparatus according to claim 2, wherein the information processing apparatus transmits the information to one information processing apparatus.   The dividing unit determines the number of other information processing apparatuses that can receive the partial data by transmitting a request for inquiring whether or not the partial data can be received to each of the other information processing apparatuses. The information processing apparatus according to claim 2, wherein the first number and the reference number are set based on the information. The storage device stores in advance instruction information indicating a range of a position where the information processing device is installed in association with each of at least one other information processing device,
When there are a plurality of other information processing apparatuses capable of receiving partial data, the transmission unit determines a position where each of the plurality of other information processing apparatuses is installed based on the instruction information, By selecting a plurality of information processing devices with different positions from each other among the plurality of other information processing devices, each of the selected information processing devices has a different portion of the first number of partial data. Send data,
The information processing apparatus according to claim 10. A method of processing data stored in a storage device of an information processing apparatus by an information processing apparatus capable of communicating with at least one other information processing apparatus,
The data stored in the storage device is converted into a predetermined first number of partial data equal to or greater than the reference number by a secret sharing method that requires a predetermined reference number of partial data to restore the data. A step of dividing;
Transmitting at least one partial data among the divided first number of partial data to at least one other information processing apparatus and deleting it from the storage device;
Acquiring at least one partial data from the at least one other information processing device and storing it in the storage device when restoring data to the storage device; and
Restoring the data to the storage device based on the partial data of the reference number on the condition that the partial data of the reference number is stored in the storage device due to the acquisition of the partial data. Method. A program for causing an information processing device capable of communicating with at least one other information processing device to process data stored in a storage device of the information processing device,
The information processing apparatus is
The data stored in the storage device is converted into a predetermined first number of partial data equal to or greater than the reference number by a secret sharing method that requires a predetermined reference number of partial data to restore the data. A dividing unit to divide;
A transmitting unit that transmits at least one partial data of the divided first number of partial data to at least one other information processing apparatus and deletes the partial data from the storage device;
An acquisition unit that acquires at least one partial data from the at least one other information processing device and stores the data in the storage device when restoring data to the storage device;
Functions as a restoration unit that restores data to the storage device based on the partial data of the reference number on the condition that the partial data of the reference number is stored in the storage device due to the acquisition of partial data Program to make.

Images